Unified Diff: components/cronet/ios/Cronet.mm

Issue 2937523002: add setter for enable_pkp_bypass_etc (Closed)
Patch Set: add small todo Created 3 years, 6 months ago
Index: components/cronet/ios/Cronet.mm
diff --git a/components/cronet/ios/Cronet.mm b/components/cronet/ios/Cronet.mm
index 489b70c3a1d53ea425d88d94682f753b523930a7..144aa13c9d4829b97edc671882253b5174744b2f 100644
--- a/components/cronet/ios/Cronet.mm
+++ b/components/cronet/ios/Cronet.mm
@@ -34,6 +34,9 @@ using QuicHintVector =
base::LazyInstance<std::unique_ptr<cronet::CronetEnvironment>>::Leaky
gChromeNet = LAZY_INSTANCE_INITIALIZER;
+// TODO(lilyhoughton) make these independent across Cronet instances, i.e.:
+// refresh them on shutdown, and add tests to make sure the defaults are
+// sane.
BOOL gHttp2Enabled = YES;
BOOL gQuicEnabled = NO;
cronet::URLRequestContextConfig::HttpCacheType gHttpCache =
@@ -48,9 +51,10 @@ RequestFilterBlock gRequestFilterBlock = nil;
base::LazyInstance<std::unique_ptr<CronetHttpProtocolHandlerDelegate>>::Leaky
gHttpProtocolHandlerDelegate = LAZY_INSTANCE_INITIALIZER;
NSURLCache* gPreservedSharedURLCache = nil;
-BOOL gEnableTestCertVerifierForTesting = FALSE;
+BOOL gEnableTestCertVerifierForTesting = NO;
std::unique_ptr<net::CertVerifier> gMockCertVerifier;
NSString* gAcceptLanguages = nil;
+BOOL gEnablePKPBypassForLocalTrustAnchors = YES;
// CertVerifier, which allows any certificates for testing.
class TestCertVerifier : public net::CertVerifier {
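Review bot: The new global `gEnablePKPBypassForLocalTrustAnchors = YES` at line 37 is a security-relevant default that lands without a comment, and a reader has to find the pin-adding guard further down in this patch to learn that leaving it at YES makes adding pins fail. A one-line comment next to the definition would make the contract explicit: `// Default YES: pins are not enforced for chains ending in a locally installed trust anchor, and adding pins is rejected. Set NO (before start, before any pins) to enforce pins for every chain.` The TODO this patch adds above the other globals about state not being refreshed between instances applies to this flag as well, since nothing visible here resets it on shutdown.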
@@ -225,6 +229,14 @@ class CronetHttpProtocolHandlerDelegate
error:(NSError**)outError {
[self checkNotStarted];
+ // Pinning a key only makes sense if pin bypassing has been disabled
+ if (gEnablePKPBypassForLocalTrustAnchors) {
+ *outError =
+ [self createUnsupportedConfigurationError:
+ @"Cannot pin keys while public key pinning is bypassed"];
+ return NO;
+ }
+
auto pkp = base::MakeUnique<cronet::URLRequestContextConfig::Pkp>(
base::SysNSStringToUTF8(host), includeSubdomains,
base::Time::FromCFAbsoluteTime(
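Review bot: The new early return at lines 45-48 writes through `*outError` without checking that the caller passed a non-NULL pointer; `NSError **` out-parameters are conventionally nullable and callers that only care about the BOOL result will pass NULL and crash here. Guard the assignment: `if (outError) { *outError = [self createUnsupportedConfigurationError:@"Cannot pin keys while public key pinning is bypassed"]; }` and keep the `return NO;`. This check also only catches one ordering — the bypass setter added later in this patch can still be called after pins have been queued, so the contradiction it rejects is not fully prevented. The enclosing method begins before this hunk, so whether the existing code already validates `outError` elsewhere cannot be seen from here.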
@@ -250,6 +262,10 @@ class CronetHttpProtocolHandlerDelegate
return YES;
}
++ (void)setEnablePublicKeyPinningBypassForLocalTrustAnchors:(BOOL)enable {
+ gEnablePKPBypassForLocalTrustAnchors = enable;
+}
+
+ (void)startInternal {
std::string user_agent = base::SysNSStringToUTF8(gUserAgent);
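Review bot: `+setEnablePublicKeyPinningBypassForLocalTrustAnchors:` at lines 57-59 assigns the global with no `[self checkNotStarted]`, unlike the pin-adding method earlier in this patch, so it can be flipped after the engine has started (when `startInternal` has already copied the value into the environment and the call becomes a silent no-op) or flipped back to YES after pins were added, reinstating exactly the configuration the new guard rejects. Suggest making `[self checkNotStarted];` the first statement, and either refusing `enable == YES` when `gPkpList` is non-empty or documenting on the setter that the contradiction is only detected at pin-add time. Whether the other setters in this file call `checkNotStarted` is outside the visible hunks, so this is inferred from the pin-adding method alone.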
@@ -267,6 +283,9 @@ class CronetHttpProtocolHandlerDelegate
gChromeNet.Get()->set_ssl_key_log_file_name(
base::SysNSStringToUTF8(gSslKeyLogFileName));
gChromeNet.Get()->set_pkp_list(std::move(gPkpList));
+ gChromeNet.Get()
+ ->set_enable_public_key_pinning_bypass_for_local_trust_anchors(
+ gEnablePKPBypassForLocalTrustAnchors);
for (const auto& quicHint : gQuicHints) {
gChromeNet.Get()->AddQuicHint(quicHint->host, quicHint->port,
quicHint->alternate_port);
@@ -408,12 +427,30 @@ class CronetHttpProtocolHandlerDelegate
if (reason) {
errorDictionary[NSLocalizedFailureReasonErrorKey] = reason;
}
- return [self createCronetErrorWith:CRNErrorInvalidArgument
- userInfo:errorDictionary];
+ return [self createCronetErrorWithCode:CRNErrorInvalidArgument
+ userInfo:errorDictionary];
+}
+
++ (NSError*)createUnsupportedConfigurationError:(NSString*)contradiction {
+ NSMutableDictionary* errorDictionary =
+ [[NSMutableDictionary alloc] initWithDictionary:@{
+ NSLocalizedDescriptionKey : @"Unsupported configuration",
+ NSLocalizedRecoverySuggestionErrorKey :
+ @"Try disabling Public Key Pinning Bypass before pinning keys.",
+ NSLocalizedFailureReasonErrorKey : @"Pinning public keys while local "
+ @"anchor bypass is enabled is "
+ @"currently not supported.",
+ }];
+ if (contradiction) {
+ errorDictionary[NSLocalizedFailureReasonErrorKey] = contradiction;
+ }
+
+ return [self createCronetErrorWithCode:CRNErrorUnsupportedConfig
+ userInfo:errorDictionary];
}
-+ (NSError*)createCronetErrorWith:(int)errorCode
- userInfo:(NSDictionary*)userInfo {
++ (NSError*)createCronetErrorWithCode:(int)errorCode
+ userInfo:(NSDictionary*)userInfo {
return [NSError errorWithDomain:CRNCronetErrorDomain
code:errorCode
userInfo:userInfo];
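Review bot: `+createUnsupportedConfigurationError:` is named as a generic helper, but its default `userInfo` at lines 86-91 hard-codes the PKP-bypass wording for both the recovery suggestion and the failure reason, so a future caller for a different unsupported combination would emit a misleading recovery suggestion unless it also knows to override it. Either keep the PKP-specific strings at the call site and have the helper take the suggestion as a parameter, or add a comment such as `// Defaults describe the PKP-bypass/pinning conflict; pass a contradiction string for other unsupported combinations and override the recovery suggestion at the call site.` Note that the `contradiction` parameter replaces the default failure reason, so the three-line default at lines 89-91 is unreachable for the only caller in this patch. The rename to `createCronetErrorWithCode:userInfo:` is fine; any caller of the old selector outside these hunks will fail to compile rather than misbehave.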